
I am trying to add an SNAT nft rule for IPv6 in my router. Any outgoing packet through interface enp1s0 should be SNATted to the IPv6 address below. These are the rules I tried and the errors I got.

nft add rule inet nat postrouting oifname "enp1s0" snat ip6 to 2401:fb00:0:1ff::32d/64

Error: Could not process rule: No such file or directory add rule inet nat postrouting oifname enp1s0 snat ip6 to 2401:fb00:0:1ff::32d/64 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

nft add rule nat postrouting oifname "enp1s0" snat to 2401:fb00:0:1ff::32d

Error: Could not resolve hostname: Address family for hostname not supported add rule nat postrouting oifname enp1s0 snat to 2401:fb00:0:1ff::32d ^^^^^^^^^^^^^^^^^^^^

nft add rule nat postrouting ip6 oifname enp1s0 snat to 2401:fb00:0:1ff::32d

Error: syntax error, unexpected oifname add rule nat postrouting ip6 oifname enp1s0 snat to 2401:fb00:0:1ff::32d ^^^^^^^

These are the issues I get. Any help would be appreciated.

  • IPv6 does not have NAT the way IPv4 does. What you are trying to do is a kludge to try to keep IPv4 until IPv6 is ubiquitous. IPv6 restores the IP end-to-end paradigm by giving every host a public address. There is an _experimental_ RFC for IPv6 NAT, but it requires one-to-one NAT and forbids the variant where you hide multiple hosts behind a single address the way you do for IPv4. – Ron Maupin Nov 02 '21 at 16:15
  • I can add an SNAT rule for IPv6 LAN to WAN using ip6tables on a different router but couldn't do so using nftables. – Mani Varma Indukuri Nov 03 '21 at 11:54
  • Yes, Linux allows it, but there is no RFC for IPv6 that does, and it breaks IPv6 features. With IPv6, you should use IPv6 Prefix Delegation and assign each host its own unique public address. That is how it is designed. NAT is a kludge that breaks the IP paradigm, and it breaks IPv6 features. IPv6 fixes many IPv4 problems, including the address shortage of IPv4. – Ron Maupin Nov 03 '21 at 12:20
  • See the _experimental_ [RFC 6296](https://www.rfc-editor.org/rfc/rfc6296.html#section-6): that explains it is a 1:1 NAT, and port mapping is forbidden: _"Since there is significant detriment caused by modifying transport layer headers and very little, if any, benefit to the use of port mapping in IPv6, NPTv6 Translators that comply with this specification MUST NOT perform port mapping."_ – Ron Maupin Nov 03 '21 at 12:32

1 Answer


You can try:

nft add rule ip6 nat postrouting meta oifname enp1s0 snat to 2401:fb00:0:1ff::32d

Ref: Quick reference-nftables in 10 minutes

– billyklh
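As an added example (not code from the question or the answer): the answer's command only works once a table in the ip6 family and a postrouting chain of type nat exist, which is what the "No such file or directory" error in the question was about, and a bare `nat` table name defaults to the ip (IPv4) family, which is why the IPv6 address was rejected. The script below builds that whole ruleset and loads it atomically with `nft -f`. The interface and address are the ones from the question; the function names are my own.

```shell
#!/bin/sh
# Added example: nftables ruleset for IPv6 SNAT on an outgoing interface.
set -e

# Print the complete ruleset. "table ip6 nat" followed by "delete table ip6 nat"
# is the usual nft idiom for an idempotent reload: the first line creates the
# table if it is missing (so the delete cannot fail), the delete wipes it, and
# the block recreates it. Note this replaces everything in that table.
ip6_snat_ruleset() {
    iface="$1"   # outgoing interface, e.g. enp1s0
    addr="$2"    # address to rewrite the source to, e.g. 2401:fb00:0:1ff::32d
    cat <<EOF
table ip6 nat
delete table ip6 nat
table ip6 nat {
    chain postrouting {
        # priority 100 is the srcnat hook priority; "policy accept" keeps
        # non-matching packets flowing untouched.
        type nat hook postrouting priority 100; policy accept;
        oifname "$iface" snat to $addr
    }
}
EOF
}

# Dry-run check of the ruleset syntax with "nft -c" (no kernel changes).
# Returns nft's exit status; if nft is not installed the check is skipped.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; skipping syntax check" >&2
        return 0
    fi
    ip6_snat_ruleset "$1" "$2" | nft -c -f -
}

# Load the ruleset for real (requires root). "nft -f" applies the whole file
# as one transaction, so there is no half-created state if a line is wrong.
apply_ruleset() {
    ip6_snat_ruleset "$1" "$2" | nft -f -
}

# Show the resulting chain so the rule can be confirmed after loading.
# To back the change out later: nft delete table ip6 nat
show_chain() {
    nft list chain ip6 nat postrouting
}
```

Run it as `apply_ruleset enp1s0 2401:fb00:0:1ff::32d` from a root shell after `check_ruleset` reports no errors.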